1 Reply Latest reply on Jun 20, 2005 10:29 AM by starksm64

    anyone know of a fix for this critical vulnerability?

      http://www.securityfocus.com/archive/1/402653/30/0/threaded

      I have searched the forums and JIRA, and I can't find any reference to this!

      Thanks,
      Adrian

        • 1. Re: anyone know of a fix for this critical vulnerability?
          starksm64

          If you read the security advisory, the fix is mentioned at the end. Edit the conf/jboss-service.xml and set the DownloadServerClasses attribute to false in the WebService mbean configuration:

          
          <mbean code="org.jboss.web.WebService"
          name="jboss:service=WebService">
           <attribute name="Port">8083</attribute>
           <!-- Should resources and non-EJB classes be downloadable -->
           <!-- old <attribute name="DownloadServerClasses">true</attribute> -->
           <!-- new --> <attribute name="DownloadServerClasses">false</attribute>
           <attribute name="Host">${jboss.bind.address}</attribute>
           <attribute name="BindAddress">${jboss.bind.address}</attribute>
          </mbean>